Bruhx Posted September 10, 2011 Share Posted September 10, 2011

I won't ever believe that someone got hacked where it wasn't their fault. Maybe it really wasn't, but it's just very hard for me to believe. I've been hacked once and it was honestly completely my fault. I feel like the reason why people are getting hacked a ton more is because hackers have been trying to figure out ways to trick other people into giving up their information since they came out with no more limit on trading, and at about this time, a lot of people are falling for stupid tricks and not even realizing they're going to get hacked. (I'm not saying that's what happened to you, lol.) Then again, that's a complete guess, because everyone who gets hacked always says they never went to any sites, NO ONE knows their password or bank PIN, and all this stuff. Honestly, I kind of don't believe that. Oh, and also another way to get hacked is if you log in to someone else's account, because then that gives them your IP address, and that's a very important piece of the recovery. It's pretty hard to argue if you know what IP address the account usually logs in from.
Piu Posted September 10, 2011

> Besides: the whole password system is encrypted: even admins can't see your password.

What is it with all this stupidity here, from people who don't know what they are talking about making false claims? Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases. I was just pointing out that the information they have PLUS the information the OP had revealed himself is what helped the hackers with the whole recovery process.
ForsakenMage Posted September 10, 2011

If you guys do happen to see your personal details posted on pastebin, report it to have it removed, then use Google's Webmaster Tools to request removal from Google's cache.
lordkafei Posted September 10, 2011

Hacked, no... but I get a lot more phishing emails than I used to. Today's email originated from Seoul, ROK: 110.45.140.114. The domain that the phishers are directing people to is registered in Beijing, PRC: http://whois.domaint...com/axlogin.com

I'd forward this to Jagex in its entirety if I had an address. Their phishing reporting topic on RSOF only allows 2000 characters... not enough room to even paste in the complete headers. Nice move there. Most companies just have an email address that you are supposed to forward phishing emails to...
Logdotzip Posted September 10, 2011

It's too bad there's no option for older accounts to switch their login name to an email... If you made a brand new email for your login information, you would be unhackable, no? They wouldn't be able to log in to my YouTube.
pulli23 Posted September 10, 2011

> > Besides: the whole password system is encrypted: even admins can't see your password.
>
> What is it with all this stupidity here, from people who don't know what they are talking about making false claims? Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases. I was just pointing out that the information they have PLUS the information the OP had revealed himself is what helped the hackers with the whole recovery process.

Sigh: good luck with decrypting them. It will take you what, a thousand years to decrypt a MySQL table? Really, don't just believe anything you read; be critical, LEARN before posting statements. IPB uses a randomized salt, so it is impossible to decrypt. Unless you know the salt (impossible) - or use brute force methods.
bedman Posted September 10, 2011

A lot of it is from people recovering accounts. Various groups hack websites and get their databases (fansites and forums are big targets, specifically older ones). Someone got hold of an older version of tip.it's database. Also, they go around the RuneScape Classic forum on here and pick out names (because most likely they don't still play). If you are on Damage Incorporated, they got hacked, I think at the beginning of August, and their database was up for sale not too long ago. Also, even when the passwords are encrypted, if you have a semi-easy password there are ways of "decrypting" it, or at least having a website go through combos of passwords such as md5, and you can just search it on there: http://www.md5decrypter.co.uk/. Some bad language, but you can see he has tip.it's database. And anyone who spends 5 minutes on pastebin can find loads of userbase dumps for RS accounts. All of this info people post about themselves is just helpful for people trying to steal their account. The most valuable parts are the creation date (all the hacking sites have links to tip.it threads where you post when you started playing) and first password (which is usually easy to guess because most people who played back then had an easy password, or even search the 100 most used passwords).

Damn, I joined tip.it around that time, and I'm not sure what password I had back then. I don't think I ever used that on RuneScape, but I'm not 100% sure. Anything I can do to secure my account even more? I have random recoveries with the answer written down and hidden in my room; my tip.it account is connected to an old Hotmail account I never use anymore (and that I never connected my RS account to). My RuneScape character is connected to my main Gmail account though, might change that.

EDIT: just checked my spam (on my regular email address) and I have some emails about RuneScape: "greetings, it has come to our attention that you are selling your runescape account..." (I don't dare to open it). This worries me quite a bit, because I wouldn't think hackers (or the ones trying) know about that email address. I have some emails from Jagex etc., so it means that if that Gmail account gets hacked, I'm screwed. What do?
Nukearcher Posted September 10, 2011

There's a flaw in Jagex account recovery: if your account hasn't logged in for a while, it's easy to recover without any info, pretty much.
@Dan3HitU (Author) Posted September 10, 2011

> There's a flaw in Jagex account recovery: if your account hasn't logged in for a while, it's easy to recover without any info, pretty much.

I think that's what has happened; someone has obviously recovered my account after loads of attempts and eventually got through. I think it's clearly stupid that Jagex don't see that an account is inactive, though, and that if you're recovering an account from, say, another country, they do nothing to stop it.
eee Posted September 10, 2011

> > There's a flaw in Jagex account recovery: if your account hasn't logged in for a while, it's easy to recover without any info, pretty much.
>
> I think that's what has happened; someone has obviously recovered my account after loads of attempts and eventually got through. I think it's clearly stupid that Jagex don't see that an account is inactive, though, and that if you're recovering an account from, say, another country, they do nothing to stop it.

Inactivity and repeated attempts could also be a sign that the owner has actually forgotten their details, though. Location really doesn't matter, because account recoverers will research their target's location and make all attempts through proxies.
SixFootOne Posted September 10, 2011

> Damn, I joined tip.it around that time, and I'm not sure what password I had back then. I don't think I ever used that on RuneScape, but I'm not 100% sure. Anything I can do to secure my account even more? I have random recoveries with the answer written down and hidden in my room; my tip.it account is connected to an old Hotmail account I never use anymore (and that I never connected my RS account to). My RuneScape character is connected to my main Gmail account though, might change that.
>
> EDIT: just checked my spam (on my regular email address) and I have some emails about RuneScape: "greetings, it has come to our attention that you are selling your runescape account..." (I don't dare to open it). This worries me quite a bit, because I wouldn't think hackers (or the ones trying) know about that email address. I have some emails from Jagex etc., so it means that if that Gmail account gets hacked, I'm screwed. What do?

If you are at least semi-active you are fine. That is more of a concern for people who stop playing for long periods of time. Also, with that info alone they usually won't get the account. If you don't go around responding to random emails you get from them (they can find your IP from that and then guess what ISP you used to create the account), you are also doing yourself a favor. I would make sure your email is secure, though. Gmail is nice because you can have it linked to phone numbers and have them text you reset passwords in case it gets compromised. Sadly, recovery questions don't seem to really lock down the security of your account, but they can help. Just keep info like creation date, previous passwords, the ISP that you created the account with/last used, have your email linked to your account, have recovery questions set, log in 2 times a week, and you will be pretty safe.
Drazhor Posted September 10, 2011

It seems quite a lot of tiffers have been hacked since Feb :o
@Dan3HitU (Author) Posted September 10, 2011

Just to be 100% clear (for anyone unsure), there is no chance I was keylogged. I haven't been on the computer that I "only" use for RuneScape; I have a laptop I use for everything else, which I've probably only used 5 times since March. I've been on my Xbox 360 generally, which doesn't even use the same connection that I use for RuneScape, and haven't had time (or interest, if I'm honest) for RuneScape. So the only option is that someone tried recovering my account over and over again.
@Dan3HitU (Author) Posted September 10, 2011

Got this picture sent to me through Twitter; the guy said he found it on a forum. By the looks of it, it was a recovery attempt.
_YB_ Posted September 10, 2011

> Got this picture sent to me through Twitter; the guy said he found it on a forum. By the looks of it, it was a recovery attempt.

I spoke to Sly; it wasn't him. Someone's put his name in the notes to get it blamed on him. It wasn't him, he doesn't recover anymore; he even helped Binu22 to get his account back.
Saradomin_Mage Posted September 10, 2011

What exactly is the "Try harder plox" thing supposed to be, actually?
BioIce Posted September 10, 2011

Mod Chrisso seems to be really new at Jagex. That thread mentions him having only been there for a year somewhere in one of his posts; he got bumped up from customer support to game testing.
Piu Posted September 10, 2011

'Try harder plox' was a message to a group of recoverers' hack threat, I think. Which resulted in people like Binu and Gertjaars being hacked.

EDIT: Derp, didn't see YB's photo.
rsboy Posted September 10, 2011

I got nailed :( like 2 weeks ago.
Riptide Mage Posted September 10, 2011

> > > Besides: the whole password system is encrypted: even admins can't see your password.
> >
> > What is it with all this stupidity here, from people who don't know what they are talking about making false claims? Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases. I was just pointing out that the information they have PLUS the information the OP had revealed himself is what helped the hackers with the whole recovery process.
>
> Sigh: good luck with decrypting them. It will take you what, a thousand years to decrypt a MySQL table? Really, don't just believe anything you read; be critical, LEARN before posting statements. IPB uses a randomized salt, so it is impossible to decrypt. Unless you know the salt (impossible) - or use brute force methods.

Salted hashes are far from impossible to break. If someone were to compromise the server they would be able to dump the SQL tables as well as view the salt.

Examples:

Only hashed - md5($Password) - Easily cracked; a publicly available 380 GB rainbow table will break any password that uses numbers, letters (capital and lower), and spaces. Extremely vulnerable to SQL injection.

Hashed and salted using a global salt - md5($Password.$SiteSalt) - Just as easily cracked as a password that has only been hashed (if the hash is obtained from the webserver); however, this would require generating a custom rainbow table, which takes a fair amount of time (giving the site time to inform users).

Hashed and salted using a user salt - md5($Password.$UserSalt) - Requires a new rainbow table for every user (see next paragraph); this is extremely vulnerable to SQL injection if the default hashing algorithm has not been changed. IPB uses md5(md5($salt).md5($password)) by default; I hope tip.it changed it.

Hashed and salted twice - md5($UserSalt.$Password.$SiteSalt) - Requires a new rainbow table for every user, which is very impractical unless targeting specific users. Usually in this case the hacker will run a list of common passwords through the hashing algorithm for each user, hoping to crack a percentage. (Interesting note: I recently redid the security on a site I maintain that has 25,000 users; of those users, 6% used one of the 5000 most common passwords [based on this] and 4% used their username as their password. Extrapolating that to the worst case scenario where tip.it is breached, at least 20,000 accounts would be compromised with ease, and even more would be compromised after using a dictionary-based attack [of users who used a dictionary word, 10% used the word followed by the number 1].)

One of the best ways of ensuring user security after a hack is by using two salts, a site-wide salt and an individual salt. Only if the SQL server and the webserver were located in two different places, and only the SQL server was breached, would an attacker ever need to decrypt the SQL database. If the webserver is breached it WILL have the SQL connection details in plain text in order for the site to function (or possibly encrypted using Zend, but that's still easy to bypass), and it WILL have any site-wide salt in plain text.
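The "run a list of common passwords through the hashing algorithm for each user" attack the post describes, worked through against the per-user-salt scheme it attributes to IPB's default, md5(md5($salt).md5($password)). This is an added example and not code from the post, from tip.it or from IPB; the usernames, salts, passwords and wordlist are all constructed for the demo, and the PBKDF2 comparison at the end is an assumption added here to show what a slow hash changes, not something the post discusses.

```python
"""Added example: dictionary attack on a leaked table of IPB-style salted hashes.

The hash scheme is the one the post above attributes to IPB's default,
md5(md5($salt).md5($password)). Every username, salt, password and the
wordlist below is constructed for this demo; nothing here is real data.
"""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ipb_hash(salt: str, password: str) -> str:
    """md5(md5(salt) . md5(password)), as described in the post."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


# Constructed "dumped" rows: (username, per-user salt, stored hash).
# The salt has to sit next to the hash for login to work, so it leaks with it.
LEAKED_ROWS = [
    ("alice", "x9Q!k", ipb_hash("x9Q!k", "password1")),    # dictionary word + "1"
    ("bob",   "m2#Lp", ipb_hash("m2#Lp", "bob")),          # username as password
    ("carol", "zZ7&v", ipb_hash("zZ7&v", "Tr0ub4dor&3")),  # not in the guess set
]

# Constructed stand-in for a "most common passwords" list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "runescape"]


def candidates(username: str, wordlist=WORDLIST):
    """Guesses per user: the username itself, each list word, and word + '1'."""
    yield username
    for word in wordlist:
        yield word
        yield word + "1"


def crack(rows, wordlist=WORDLIST):
    """Return ({user: recovered_password}, number_of_hashes_computed).

    A per-user salt rules out one precomputed rainbow table for the whole
    dump, but it does not slow the attacker down: md5 is fast and the salt is
    in the dump, so each user costs at most one hash per candidate guess.
    """
    found, work = {}, 0
    for user, salt, stored in rows:
        for guess in candidates(user, wordlist):
            work += 1
            if hmac.compare_digest(ipb_hash(salt, guess), stored):
                found[user] = guess
                break
    return found, work


# --- What makes the same guessing loop expensive: a deliberately slow hash ---
# PBKDF2 is an assumption added in this example; the post does not mention it.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(salt: str, password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Each guess now costs `iterations` HMAC-SHA256 calls instead of three md5s."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def pbkdf2_verify(salt: str, password: str, stored: str) -> bool:
    return hmac.compare_digest(pbkdf2_hash(salt, password), stored)


if __name__ == "__main__":
    recovered, hashes = crack(LEAKED_ROWS)
    print(f"recovered {recovered} after {hashes} md5 chains")
    stored = pbkdf2_hash("x9Q!k", "password1")
    print("same guess loop against PBKDF2 costs", PBKDF2_ITERATIONS,
          "HMAC calls per guess; verify ->", pbkdf2_verify("x9Q!k", "password1", stored))
```

Two of the three constructed users fall in under twenty md5 computations, which is the post's point: once the dump (salts included) is in hand, the salt only forces the attacker to hash each guess per user rather than look it up in a table, and at md5 speed that is no obstacle. The PBKDF2 functions show the property that actually helps after a breach: a per-guess cost the site chooses, so the same wordlist run costs the attacker hundreds of thousands of times more work per user.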
Toad Posted September 10, 2011

I don't think it's necessarily the way the system works that needs to be fixed, I just think added security needs to be implemented.
RoswellCrash Posted September 10, 2011

> I don't think it's necessarily the way the system works that needs to be fixed, I just think added security needs to be implemented.

The old memory card device or card system Entropia Universe uses would be good, but it costs. Maybe it could be free with a year (or two) of membership subscription (a membership incentive they might want to try), or pay for it.
ilovecuttingyews Posted September 10, 2011

> > I don't think it's necessarily the way the system works that needs to be fixed, I just think added security needs to be implemented.
>
> The old memory card device or card system Entropia Universe uses would be good, but it costs. Maybe it could be free with a year (or two) of membership subscription (a membership incentive they might want to try), or pay for it.

Jagex initially dismissed the security dongle because people dismissed the extra bank space incentive as RWT'ing. Maybe the massive increase in hackings, Jagex's new leadership, and a newfound thirst for money will convince Jagex to start selling these. If it was anything under $20, I would probably buy one.
RoswellCrash Posted September 10, 2011

Yeah, I use the card system supplied by EU; works well.
Sir_Squab Posted September 10, 2011

> (quoting Riptide Mage's post above in full)

I have no idea what in the hell any of this is >_<